Category Archives: Site Security
Security – Keeping it Off the Web (Page 1 of 2)
The topic of website security is seldom brought up among non-programmers and those who may not be technically inclined, yet if you operate a website, it is an issue of substantial concern to you.
Addressed in this article is a nearly universal problem, it affects almost every single PHP or CGI script I’ve ever seen. We won’t delve into the technical issues too far, this is intended for the web site owner, someone who might install the occasional PHP file or CGI script. I will assume you are not a software developer.
A general rule I like to follow when installing php scripts or web applications is this: If it doesn’t need to be on the web, it shouldn’t be there. This is obvious, but it has implications that are not always clear.
What we are mainly referring to is configuration and to a lesser extent, program libraries and source code. It may also apply to files and other resources that are controlled through a script interface. An example of this would be scripts that charge money for downloading files or set up newsletters. Lets start with an example, we’ll call it program.php. In our example, program.php is a database application using mysql to store information.
For our script to do it’s job, it will need access to your mysql password and user-name. It may also need access to many other program files and so-forth.
During installation, a control panel probably asked for your mysql credentials, it may even have asked you to change the file permissions on a configuration file of some sort. You’ve probably been through this type of install process at one time or another.
What it will do next, is write your database password and other private information to a configuration file. This usually happens without your knowledge, it is also where our problems begin.
Most people don’t catch this right away, if the configuration file is in the same directory (or sub-directory) it is web accessible. Quite often it is a php file, usually with write permissions turned on.
The extension .php does afford some degree of protection, under normal circumstances these files aren’t sent to a visitors browser but it is still unsafe.
If someone makes a slight mistake in the configuration or .htaccess file, it will dump the actual contents of “conf.php” to the users web browser, complete with your database password and other private information.
As anyone who has been around web servers very long can tell you, this is a common occurrence. I’ve personally seen it happen on several occasions.
Furthermore, many other web editing tools need to create backup files, resulting in something like config.php.BAK or perhaps config.php.tmp.
We now have a file ripe for hackers and other would-be intruders to gain access to your mysql database passwords as well as any other private information kept there.
What is most alarming is that almost every single off the shelf web based program exhibits this very problem in some form or another.
Security – Keeping it Off the Web (Page 1 of 2)
The topic of website security is seldom brought up among non-programmers and those who may not be technically inclined, yet if you operate a website, it is an issue of substantial concern to you.
Addressed in this article is a nearly universal problem, it affects almost every single PHP or CGI script I’ve ever seen. We won’t delve into the technical issues too far, this is intended for the web site owner, someone who might install the occasional PHP file or CGI script. I will assume you are not a software developer.
A general rule I like to follow when installing php scripts or web applications is this: If it doesn’t need to be on the web, it shouldn’t be there. This is obvious, but it has implications that are not always clear.
What we are mainly referring to is configuration and to a lesser extent, program libraries and source code. It may also apply to files and other resources that are controlled through a script interface. An example of this would be scripts that charge money for downloading files or set up newsletters. Lets start with an example, we’ll call it program.php. In our example, program.php is a database application using mysql to store information.
For our script to do it’s job, it will need access to your mysql password and user-name. It may also need access to many other program files and so-forth.
During installation, a control panel probably asked for your mysql credentials, it may even have asked you to change the file permissions on a configuration file of some sort. You’ve probably been through this type of install process at one time or another.
What it will do next, is write your database password and other private information to a configuration file. This usually happens without your knowledge, it is also where our problems begin.
Most people don’t catch this right away, if the configuration file is in the same directory (or sub-directory) it is web accessible. Quite often it is a php file, usually with write permissions turned on.
The extension .php does afford some degree of protection, under normal circumstances these files aren’t sent to a visitors browser but it is still unsafe.
If someone makes a slight mistake in the configuration or .htaccess file, it will dump the actual contents of “conf.php” to the users web browser, complete with your database password and other private information.
As anyone who has been around web servers very long can tell you, this is a common occurrence. I’ve personally seen it happen on several occasions.
Furthermore, many other web editing tools need to create backup files, resulting in something like config.php.BAK or perhaps config.php.tmp.
We now have a file ripe for hackers and other would-be intruders to gain access to your mysql database passwords as well as any other private information kept there.
What is most alarming is that almost every single off the shelf web based program exhibits this very problem in some form or another.
Protect your website with your ethical hacking knowledge
The first cause for websites being hacked is the lack of knowledge of their webmasters.
Hackers or even wannabe hackers can modify your website home page, steal your website profits and fame by just using ready to be downloaded exploits published into trusted and untrusted internet security portals.
Whether you have a basic knowledge of web site publishing or you are an experienced webmaster the only thing to protect yourself from hackers attacks is ethical hacking.
Ethical hacking means understanding your enemy mind, skills, intentions and strength, up to take the successful countermeasures that will save your daily hard job into developing a successful and trusted web platform.
Image damages causing shareholders and customers complaints, not to mention 6 figures money loss, is what led many big corporations to hire dozens of ethical hackers to keep their networks and web site safe from “bad” hackers.
In this article I am going to focus on the following two questions: What do ethical hackers do? What can I do to protect my website if I am not an ethical hacker?
The first step taken by hackers, should they be ethical or evil, is to scan your web application for known vulnerabilities. This can be achieved through a penetration testing process that can be manual or automated by some programs and scripts. This is the most important and crucial task in every attack attempt. And this is what an ethical hacker can’t fail.
The second step is to get a working exploit to take advantage of the vulnerability found in step 1. Here is where protection and fixes should take place to *prevent* the attack and not to just cure after the disaster. Ethical hackers in this case would be able to modify source codes to cover the holes or just reduce the success rate of the attack dramatically.
I would strongly advise to work on the first step since it is the most simple to master whether you’re not expert into security field or you just don’t have enough money to hire an experienced ethical hacker.
Internet security knowledge is what can save your site with a very cheap price. At the most basic level this can be achieved by keeping yourself informed on your websites scripts well-known vulnerabilities, available patches and security best practices.
Moreover the understanding of basic attacking vectors like Cross site scripting or SQL Injection will keep you safe from a big number of wannabe hackers that you will be able to defeat…with your knowledge! So next time you will see some suspicious activity in your website log you will be laughing at it, since not a dummy tool but your own knowledge as ethical hacker will be protecting you.